stunnel log shows SSLv3 protocol level even when TLSv1 was negotiated

I'm running stunnel in server-mode with options "NO_SSLV2" and "NO_SSLV3" and sslVersion=all. My client also explicitly disables SSLv2 and SSLv3. My client's ssl-log (-Djavax.net.debug=ssl) confirms that, during handshake and for application data, the highest TLS protocol version is being used.

How come, stunnel log still shows "SSLv3"?

2015.02.03 14:42:46 LOG5[8415:140561397376768]: ldaps-in accepted connection from X.X.X.X:65158
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): before/accept initialization
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 read client hello A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write server hello A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write certificate A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write server done A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 flush data
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 read client key exchange A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 read finished A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write change cipher spec A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write finished A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 flush data
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 9 items in the session cache
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 client connects (SSL_connect())
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 client connects that finished
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 client renegotiations requested
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 12 server connects (SSL_accept())
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 9 server connects that finished
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 server renegotiations requested
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 session cache hits
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 external session cache hits
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 session cache misses
2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 session cache timeouts
2015.02.03 14:42:46 LOG6[8415:140561397376768]: SSL accepted: new session negotiated
2015.02.03 14:42:46 LOG6[8415:140561397376768]: Negotiated ciphers: AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

Is my client's ssl-log wrong? Or stunnel's?

Kind regards,
Christian Tenvenne

On 02/03/2015 04:00 PM, christian.tenvenne@lhsystems.com wrote:
> My client's ssl-log (-Djavax.net.debug=ssl) confirms that, during handshake and for application data, the highest TLS protocol version is being used.
> How come, stunnel log still shows "SSLv3"?

The protocols etc. that happen "under the hood" haven't been redefined *completely from scratch* for TLS, so "old" names reappear when you dig into the details. OpenSSL talks about "SSLv3" when making a TLS 1.2 connection, too:

$ ( sleep 1 ; echo "HEAD / HTTP/1.0" ; echo "" ; sleep 2 ) | \
    openssl s_client -connect www.nec-store.de:443 -tls1_2 -state 2>&1 \
    | egrep '(SSL|TLS)v'
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol : TLSv1.2

Regards,
J. Bern
--
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
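
Added example, not part of the thread and not stunnel or OpenSSL code: a small Python classifier for the log lines quoted above, separating lines that only carry an "SSLv3" label from the one line that reports the negotiated protocol. The rule names and the `classify`/`audit` helpers are hypothetical, and the patterns assume the message formats shown in this thread.

```python
import re

# Constructed samples: excerpts of the two logs quoted in this thread.
STUNNEL_LOG = """\
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 read client hello A
2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write server hello A
2015.02.03 14:42:46 LOG6[8415:140561397376768]: SSL accepted: new session negotiated
2015.02.03 14:42:46 LOG6[8415:140561397376768]: Negotiated ciphers: AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""
S_CLIENT_OUT = """\
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol : TLSv1.2
"""

# (kind, pattern) pairs, first match wins. Only "negotiated" is evidence of the
# protocol version in use; the other kinds mention SSLv3 as a label:
#   state-label        - handshake state names, printed for TLS connections too
#   cipher-description - protocol field of the cipher suite description
#   cipher-family      - s_client's combined "TLSv1/SSLv3" cipher label
RULES = [
    ("negotiated", re.compile(r"^\s*Protocol\s*:\s*(?P<ver>(?:SSL|TLS)v[\d.]+)\s*$")),
    ("state-label", re.compile(r"SSL state \((?:accept|connect)\): SSLv3 |SSL_(?:accept|connect):SSLv3 ")),
    ("cipher-description", re.compile(r"Negotiated ciphers: \S+\s+(?:SSL|TLS)v[\d.]+\s+Kx=")),
    ("cipher-family", re.compile(r"^New, TLSv1/SSLv3, Cipher is ")),
]

def classify(line):
    """Return (kind, version); version is set only for 'negotiated' lines."""
    for kind, pattern in RULES:
        m = pattern.search(line)
        if m:
            return kind, m.groupdict().get("ver")
    return "other", None

def audit(text):
    """Count each kind of line and report the negotiated version, if logged."""
    counts, version = {}, None
    for line in text.splitlines():
        kind, ver = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
        version = ver or version
    return {"negotiated": version, "counts": counts}

if __name__ == "__main__":
    for name, text in (("stunnel", STUNNEL_LOG), ("s_client", S_CLIENT_OUT)):
        print(name, audit(text))
```

For the stunnel excerpt the result has `negotiated` set to `None`: nothing in those lines records the protocol version, so the client-side debug log or an `openssl s_client` probe like the one in the reply is what confirms it.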